TECH EXCHANGE | A ZDNet Multiplexer Blog

Why's it so hard to say yes?

The average security team has a reputation of saying "no" to everything. This could come down to two things - training and leadership.

I can't count how many times I've read, in news groups and social media feeds, about security people wondering why the business doesn't listen to them, especially when "we're here to enable them" or "we're helping people understand risk". Yet the average security team has a reputation of saying "no" to everything ("The Handbrake to Happiness", as a colleague recently said to me).

I've spent a bit of time in recent years trying to work out why. It always seems to come down to two main areas - training and leadership.

On the training side - many of us started our security career in some technical area with a job that involved breaking things - penetration testing or the like. In my case I pulled apart security products to show flaws and disassembled viruses. At the same time, the average junior security recruit is being taught everything there is to know about things that go wrong in IT and is reading all the media available on bad things happening.

Strangely enough, the average junior person in security starts getting slightly paranoid.

So when they get a bit of experience and they start being the people we approach for advice - the advice they give is generally all the reasons you shouldn't do the things you want to do. Sounds very close to a "no"! And over time that becomes reinforced. Whenever there is an incident, the security team is asked to explain. As professionals we find ourselves getting more and more risk averse. Rather than trying to work out how to enable someone, we focus on why what they are doing is bad.

The leadership side is a bit more subtle. I went to a conference quite a few years back where we had the physical security leader for a very large multinational come and talk. He looked after site and personnel security globally. He talked about the mission of his group.

I was expecting it to be something standard - to protect the company's people and assets or the like. But it was quite a bit more powerful than that. It was "to enable the company to safely do business in the most dangerous countries in the world". That was an eye opener for me. He'd linked the team's mission to the company's global strategy. He didn't try to keep the company out of a dangerous country - he thought about how to get them in safely.

The cyber security world is the same. I often hear about security teams who are so worried about preventing bad things that they are stifling the business's growth and agility.

Now don't get me wrong - our job is absolutely to keep our company's data safe. But it's much more than that. Like every part of the business we're here to make the company successful. And paradoxically I've found security teams are far more successful when they focus on enabling. If I stand in the way of something - I'm likely to be swept aside. But if I support it there's a much better chance for me to get some controls in place. And what's even better is people are more likely to approach me.

So if you're leading a security team - ask yourself whether you are enabling as well as protecting the company. If you're a security professional - next time someone asks you to say yes to something - find a way to help them do what they want safely.

For more security go to Telstra Exchange.